
[Bug] Critical Path Traversal and Arbitrary File Write in save_code_to_project (feature.py) #716

Description

@QiuYucheng2003

Describe the bug
There is a severe Path Traversal vulnerability in src/agents/feature/feature.py within the save_code_to_project function. The application extracts the filename directly from the LLM's response (file['file']) and concatenates it using os.path.join() without any path sanitization or boundary checks.

If an attacker injects a malicious payload (e.g., via socket communication / prompt injection) that forces the model to output a filepath containing ../ sequences or absolute paths, os.path.join() will resolve the path outside the intended project directory. The subsequent open(..., "w") operation will blindly overwrite arbitrary files on the host system, leading to severe environment destruction or potential Remote Code Execution (RCE).

How To Reproduce
Steps to reproduce the behavior (example):

  1. Send a crafted payload via the socket communication interface that forces the LLM to output a Markdown block with a directory traversal path. For example:
    File: ../../../../../../root/.ssh/authorized_keys:

  2. The validate_response function parses this and sets file['file'] to ../../../../../../root/.ssh/authorized_keys.

  3. The save_code_to_project function executes:
    os.path.join(self.project_dir, project_name, "../../../../../../root/.ssh/authorized_keys")

  4. os.makedirs and open(..., "w") execute, escaping the workspace and overwriting the host's critical files.

Expected behavior
The application must validate and sanitize the extracted file['file'] before writing it to the disk. It should ensure that the final resolved absolute path strictly resides within the intended project workspace.

Screenshots and logs
Note: Discovered via static code analysis, so runtime logs are not applicable. Vulnerable code snippet in src/agents/feature/feature.py:
    def save_code_to_project(self, response: List[Dict[str, str]], project_name: str):
        # ...
        for file in response:
            # [!] VULNERABILITY: No path validation before os.path.join
            file_path = os.path.join(self.project_dir, project_name, file['file'])
            file_path_dir = os.path.dirname(file_path)
            os.makedirs(file_path_dir, exist_ok=True)

            # [!] Arbitrary file overwrite
            with open(file_path, "w", encoding="utf-8") as f:
                f.write(file["code"])

Additional context
Recommended Fix:
Implement strict path boundary validation before performing any file operations.

    base_path = os.path.abspath(os.path.join(self.project_dir, project_name))

    # Resolve the absolute path of the target file
    file_path = os.path.abspath(os.path.join(base_path, file['file']))

    # Security assertion: ensure the target path is strictly within the base_path
    if not file_path.startswith(base_path + os.sep):
        raise PermissionError("Path traversal attempt detected!")
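
A self-contained version of the boundary check described in this issue, added here as an illustration; it is not part of the original report or the project's code. It goes beyond the snippet above by resolving symlinks with os.path.realpath and comparing whole path components with os.path.commonpath. The names resolve_in_workspace and demo and all sample filenames are constructed for this example, which assumes a POSIX host.

```python
import os
import tempfile


def resolve_in_workspace(base_dir: str, untrusted_name: str) -> str:
    """Return the real path for untrusted_name; raise if it leaves base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks that already exist.
    # If untrusted_name is absolute, os.path.join discards base entirely;
    # the containment check below catches that case as well.
    target = os.path.realpath(os.path.join(base, untrusted_name))
    # commonpath compares whole components, so a sibling directory such as
    # "<base>-backup" is never treated as being inside "<base>".
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes workspace: {untrusted_name!r}")
    return target


def demo() -> dict:
    """Check constructed filenames against a throwaway workspace (POSIX)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "projects", "demo")
        outside = os.path.join(root, "outside")
        os.makedirs(workspace)
        os.makedirs(outside)
        # Constructed symlink inside the workspace that points out of it.
        os.symlink(outside, os.path.join(workspace, "link"))
        samples = {
            "relative": "src/app.py",
            "dotdot": "../../outside/notes.txt",
            "absolute": os.path.join(outside, "notes.txt"),
            "sibling": "../demo-backup/app.py",
            "symlink": "link/notes.txt",
        }
        for label, name in samples.items():
            try:
                resolve_in_workspace(workspace, name)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:9s} {verdict}")
```

The check and the later open() are separate steps, so the result only holds if nothing else can create symlinks inside the workspace between them.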
